To recap what’s (probably) going on:

1. A malicious attacker has access to a network without BCP38 filtering.
2. They send TCP connection requests to port 22 on many random internet machines - possibly deliberately selecting known honeypots or networks known to send automated abuse complaints.
3. Those TCP connection requests use a spoofed source IP address, making the destination machines think the spoofed source sent that connection. They become the target of the automated abuse complaints.
4. With a large enough volume, the spoofed IP quickly becomes widely blacklisted from many internet entities following blocklists, and the hosting provider might take action due to many abuse reports and shut down the server for being compromised / malicious.